Differences

This shows you the differences between two versions of the page.

--- tutorial:adm:server_preparation_win [2019/06/03 12:40]
cernym [HTTPd installation and configuration]
+++ tutorial:adm:server_preparation_win [2024/01/10 10:38] (current)
koulaj [Java]
@@ Line 7: / Line 7: @@
 ===== Basic system setup =====
   * 1 server (can be virtualized) for everything: backend, frontend and database.
-  * OS Windows, ideally W2012 and newer
+  * OS Windows, ideally W2016 and newer
-  * PostgreSQL - installed from OpenSCG
+  * PostgreSQL - installed from EnterpriseDB
-  * Java - installed from Oracle JDK
+  * Java - OpenJDK
   * Apache Tomcat - installed by Tomcat .exe installer
   * Services start via system services (services.msc)
 ===== Instalation and software configuration =====
-Prerequisities - Basic installation of Windows Server 2012.
+Prerequisities - Basic installation of Windows Server 2016.
   * Install the **Telnet Client** system feature through **Programs and Features**. This is optional but greatly helps with debugging network problems.
   * Install [[https://www.mozilla.org/|Firefox]]. Also optional, but greatly helps with debugging IdM webapp problems.
@@ Line 23: / Line 23: @@
   * Disable Microsoft IIS if installed.
 ===== PostgreSQL =====
-On Windows, we use [[https://www.openscg.com/bigsql/postgresql/installers/|OpenSCG]] PostgreSQL distribution, version at least 9.6.
+On Windows, we use [[https://www.enterprisedb.com/downloads/postgres-postgresql-downloads|EnterpriseDB]] PostgreSQL distribution. Recommended version is 12.x.
-  * Leave locations at default.
+  * For installation, basically follow [[https://www.enterprisedb.com/edb-docs/d/postgresql/installation-getting-started/installation-guide-installers/12/invoking_the_graphical_installer.html|the official guide]].
-  * Make sure you check the option to install the windows service.
+  * Set location for binaries to ''C:\PostgreSQL\12''.
+  * Set location for database to ''C:\PostgreSQL\12\data''.
+  * Install all components (pgAdmin, StackBuilder, etc.).
+  * Leave the locale at ''[Default locale]'', we will set locale explicitly when creating a database.
+  * After installation, check the Windows services - the ''postgresql-x86_64'' service should be there, configured with autostart.
+    * To enter services menu, get to the Start->Run and invoke ''services.msc''.
-Open the elevated shell (right-click on cmd and select "run as admin") and install the pgAdmin:
+Edit the PostgreSQL configuration file ''C:\PostgreSQL\12\data\postgresql.conf'' to make it listen on 127.0.0.1 only. Adjust the database sizing as necessary. The following example is for 6GB RAM. Do not hasten to overwrite your PgSQL configuration out of hand! When in doubt, use a [[https://pgtune.leopard.in.ua/|calculator]].
 <code>
-cd c:/postgresql
+# DB Version: 12
-pgc install pgadmin3
+# OS Type: windows
-</code>
+# DB Type: web
-If your server does not have Internet access, you can download and install pgAdmin from [[https://www.pgadmin.org/|here]].
+# Total Memory (RAM): 6 GB
+# CPUs num: 4
+# Connections num: 100
+# Data Storage: hdd
-Edit the PostgreSQL configuration file ''C:\PostgreSQL\data\pg96\postgresql.conf'' to make it listen on 127.0.0.1 only. Adjust the database sizing as necessary. The following example is for 6GB RAM. Do not hasten to overwrite your PgSQL configuration out of hand! When in doubt, use a [[https://pgtune.leopard.in.ua/|calculator]].
-<code>
 listen_addresses = '127.0.0.1'		# what IP address(es) to listen on;
-port = 5432				# (change requires restart)
+max_connections = 100			# (change requires restart)
-max_connections = 150			# (change requires restart)
 superuser_reserved_connections = 3	# (change requires restart)
 shared_buffers = 512MB			# min 128kB
-work_mem = 12815kB			# min 64kB
+work_mem = 9611kB			# min 64kB
 maintenance_work_mem = 384MB
-dynamic_shared_memory_type = windows	# the default is the first option
-wal_level = hot_standby
+wal_buffers = 16MB
-wal_buffers = 16MB			# min 32kB, -1 sets based on shared_buffers
+max_wal_size = 4GB
-max_wal_size = 2GB
 min_wal_size = 1GB
 checkpoint_completion_target = 0.7	# checkpoint target duration, 0.0 - 1.0
-max_wal_senders = 5
-wal_keep_segments = 32
-max_replication_slots = 5
 effective_cache_size = 4608MB
 default_statistics_target = 100		# range 1-10000
-logging_collector = on
+random_page_cost = 4
-log_directory = 'C:/POSTGR~1/data/logs/pg96'
+effective_cache_size = 4608MB
-log_filename = 'postgresql-%a.log'
+max_worker_processes = 4
-log_truncate_on_rotation = on
+max_parallel_workers_per_gather = 2
-log_checkpoints = on
+max_parallel_workers = 4
-log_line_prefix =  '%t [%p]: [%l-1] user=%u,db=%d,app=%a,client=%h '
+max_parallel_maintenance_workers = 2
-log_lock_waits = on
-log_temp_files = 0
-log_timezone = 'Europe/Belgrade'
-update_process_title = off
 track_io_timing = on
 log_autovacuum_min_duration = 0
-datestyle = 'iso, mdy'
-timezone = 'Europe/Belgrade'
-lc_messages = 'English_United States.1252'			# locale for system error message
-lc_monetary = 'English_United States.1252'			# locale for monetary formatting
-lc_numeric = 'English_United States.1252'			# locale for number formatting
-lc_time = 'English_United States.1252'				# locale for time formatting
-default_text_search_config = 'pg_catalog.english'
 </code>
-Configure the authentication in the ''C:\PostgreSQL\data\pg96\pg_hba.conf'' to accept passwords. The basic configuration file should then look like this:
+Configure the authentication in the ''C:\PostgreSQL\12\data\pg_hba.conf'' to accept passwords. The basic configuration file should then look like this:
 <code>
 # TYPE  DATABASE        USER            CIDR-ADDRESS            METHOD
@@ Line 81: / Line 73: @@
 # IPv4 local & remote connections:
 host    all             all             127.0.0.1/32            md5
-host    all             all             0.0.0.0/0               md5
 # IPv6 local connections:
 host    all             all             ::1/128                 md5
 </code>
-Open Windows services' dialogue (Win+r and type **services.msc** therein). Look for the "PostgreSQL 9.6 Server" service and set its ''StartupType'' to ''Automatic''. Then start the service.
+<note>If you install the database onto a server distinct from the one on which the CzechIdM application itself (Tomcat etc.) is deployed, don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
-<note>If you install the database onto a server distinct from the one on which the CzechIdM application itself (Tomcat etc.) is mounted, don't forget to configure PostgreSQL to allow remote SSL connection from that server.</note>
 ===== Java =====
-Install the Oracle JDK (minimal version is 1.8). You can download it from [[http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html|here]]. Be sure to download the **JDK**, and not only **JRE**.
-Install the Java into a standard directory in Program Files. Having finished the installation, it is necessary to set up ''JAVA\_HOME'' and ''PATH'' variables. Open the **sysdm.cpl** (Win+r ant type sysdm.cpl) dialogue and navigate to ''> Advanced > Environment Variables''. Add system-wide variable ''JAVA\_HOME=C:\Program Files\Java\jdk1.8.0\_152'' (**adjust the path accordingly to the Java version you just installed**). Add the ''%JAVA_HOME%\bin'' to the ''PATH''. Then run ''java -version'' from the windows cmd to check if it is working properly.
+Install the openjdk (preferred version is 11.0.2, for CzechIdm 13.1.0+ Java 21 is needed). You can download it from [[https://jdk.java.net/archive/|here]]. Be sure to download the **JDK**, and not only **JRE**.
+=== OpenJDK Installation ===
+Crete directory ''C:\Program Files\Java\'' and extract there downloaded zip. Then set path and JAVA HOME:
+   * Open the **sysdm.cpl**  (Win+r ant type sysdm.cpl) dialogue and navigate to ''> Advanced > Environment Variables''
+  * Add this line to PATH variable.
+<code>
+%JAVA_HOME%\bin
+</code>
+  * Add new variable ''JAVA_HOME''  with value ''C:\Program Files\Java\jdk-11.0.2''
+  * Then run ''java -version''  from the windows cmd to check if it is working properly.
 ===== Tomcat =====
-Download and install the latest 8.5 branch of Apache Tomcat from [[https://tomcat.apache.org/download-80.cgi|here]]. Use the Windows installer.
-  * Leave the installation paths on default.
-  * Let the setup create ''admin'' user for the Tomcat console.
-  * Modify the ''JRE path'' to make it point to installe Oracle **JDK**.
-  * Do not install the example application.
-  * Let the setup create a Tomcat windows service.
-After installation, run the **Monitor Tomcat** application from the Start menu. Configure following settings:
+Download and install the latest 9.0 branch of Apache Tomcat from [[https://tomcat.apache.org/download-90.cgi|here]]. Use the Windows installer.
-  * ''initial memory pool: 512MB'' (example for about 5GB RAM).
-  * ''maximum memory pool: 4096MB'' (example for about 5GB RAM).
-  * Add ''C:\CzechIdM\etc;C:\CzechIdM\lib;C:\CzechIdM\lib\\*;'' to the **beginning of the** ''CLASSPATH''.
-Configure addresses the server will listen on. Open the ''server.xml'' configuration file in the Tomcat installation. Make these changes:
+  * Agree with licence agreement
-  * Add ''address="127.0.0.1"'' to the **8080/tcp** and **8009/tcp** connectors. This will make Tomcat listen only on localhost.
+  * Deselect ''Manager''  from components and click ''Next''
-  * Change port number ''8005'' to ''-1'' at the Shutdown Port setting. This will effectively turn off the shutdown port.
+  * Set shutdown port to "-1" and connector port to "8080" and click ''Next''
+  * Modify the ''JRE path''  to make it point to installed openjde **JDK**  and click ''Next''
+  * Leave the installation path on default and click ''Install''
+  * When it's done deselect option "start tomcat" and click ''finish''.
+You can also use Tomcat 9.0.45 and newer, those installers set the service account to ''Local Service''  themselves.</note>
+After installation, run the **Monitor Tomcat**  application from the Start menu (or run ''Tomcat9w.exe''  from the Tomcat bin directory - usually ''C:\Program Files\Apache Software Foundation\Tomcat 9.0\bin''). Configure following settings:
+  * ''initial memory pool: 512MB''  (example for about 5GB RAM).
+  * ''maximum memory pool: 4096MB''  (example for about 5GB RAM).
+  * Add ''C:\CzechIdM\etc;C:\CzechIdM\lib;C:\CzechIdM\lib\*;''  to the **beginning of the**''CLASSPATH''.
+Configure addresses the server will listen on. Open the ''C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\server.xml''  configuration file in the Tomcat installation. Make these changes:
+  * Add ''address="127.0.0.1"''  to the **8080/tcp**  and **8009/tcp**  connectors. This will make Tomcat listen only on localhost.
+  * Change port number ''8005''  to ''-1''  at the Shutdown Port setting. This will effectively turn off the shutdown port.
+  * In the section for ''Connector protocol="HTTP/1.1"''  on port 8080, add the ''maxSwallowSize="-1"''  property.
+  * Uncomment the section ''Connector protocol="AJP/1.3"''  for the port 8009 and adjust the address parameter: ''address="127.0.0.1"'',''secretRequired="true"''  and ''secret="password for ajp port" ''. It should look like this:
+<code>
+    <Connector protocol="AJP/1.3"
+               address="127.0.0.1"
+               port="8009"
+               redirectPort="8443"
+               secretRequired="true"
+               secret="***password for ajp port***"
+               />
+</code>
+Use the **services.msc**  dialogue to set the Apache Tomcat ''StartupType''  to ''Automatic (Delayed Start)''. This will make the application container start after the PostgreSQL database. <note important>For production use, we strongly advise to remove all Tomcat's management applications from the container.
+  * Locate the ''webapps''  folder in the Tomcat installation and delete everything that is inside.
-Use the **services.msc** dialogue to set the Apache Tomcat ''StartupType'' to ''Automatic (Delayed Start)''. This will make the application container start after the PostgreSQL database.
-<note important>For production use, we strongly advise to remove all Tomcat's management applications from the container.
-  * Locate the ''webapps'' folder in the Tomcat installation and delete everything that is inside.
 </note>
-For roles and advanced management configuration, please see the relevant chapters in the [[tutorial:adm:server_preparation|Server Preparation - Linux]] tutorial.
+For roles and advanced management configuration, please see the relevant chapters in the [[.:server_preparation|Server Preparation - Linux]] tutorial.
+==== Change Tomcat logging properties ====
+In order to set-up log rotation we need stop logging to stdout and start logging to catalina.log .
+After change of these tomcat setting and setting-up **logback-spring.xml** in [[.:czechidm_installation_win#create_czechidm_configuration|create_czechidm_configuration]] IdM will log into catalina.out and after day rotate it into catalina.YYYY-MM-DD.log. Tomcat engine will log into tomcat.log and no totate because there are only log of tomat start. Tomcat will log logs of IdM connectors into tomcat-stdout tomcat9-stdout.YYYY-MM-DD.log - it's well knows bug with workaround to make manual log rotation.
+Make these changes in file ''C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\logging.properties'': Comment out console handler. We don't want tomcat to log to stdout or stderr and other unnesesary logs.
+<code>
+handlers = 1catalina.org.apache.juli.AsyncFileHandler
+#handlers =  java.util.logging.ConsoleHandler, 2localhost.org.apache.juli.AsyncFileHandler, 3manager.org.apache.juli.AsyncFileHandler, 4host-manager.org.apache.juli.AsyncFileHandler
+.handlers = 1catalina.org.apache.juli.AsyncFileHandler
+#.handlers = java.util.logging.ConsoleHandler,
+###2localhost.org.apache.juli.AsyncFileHandler.level = FINE
+###2localhost.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
+###2localhost.org.apache.juli.AsyncFileHandler.prefix = localhost.
+###2localhost.org.apache.juli.AsyncFileHandler.maxDays = 90
+###2localhost.org.apache.juli.AsyncFileHandler.encoding = UTF-8
+###3manager.org.apache.juli.AsyncFileHandler.level = FINE
+###3manager.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
+###3manager.org.apache.juli.AsyncFileHandler.prefix = manager.
+###3manager.org.apache.juli.AsyncFileHandler.maxDays = 90
+###3manager.org.apache.juli.AsyncFileHandler.encoding = UTF-8
+###4host-manager.org.apache.juli.AsyncFileHandler.level = FINE
+###4host-manager.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
+###4host-manager.org.apache.juli.AsyncFileHandler.prefix = host-manager.
+###4host-manager.org.apache.juli.AsyncFileHandler.maxDays = 90
+###4host-manager.org.apache.juli.AsyncFileHandler.encoding = UTF-8
+###java.util.logging.ConsoleHandler.level = FINE
+###java.util.logging.ConsoleHandler.formatter = org.apache.juli.OneLineFormatter
+###java.util.logging.ConsoleHandler.encoding = UTF-8
+#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
+#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.AsyncFileHandler
+#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
+#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = 3manager.org.apache.juli.AsyncFileHandler
+#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
+#org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = 4host-manager.org.apache.juli.AsyncFileHandler
+</code>
+In 1catalina file handler change log level to "INFO" and prefix from "catalina" to "tomcat". Also set property rotable to "false". Tomcat write to this file only when starting or shutting down.
+<code>
+#1catalina.org.apache.juli.AsyncFileHandler.level = FINE
+#1catalina.org.apache.juli.AsyncFileHandler.prefix = catalina.
+catalina.org.apache.juli.AsyncFileHandler.level = INFO
+catalina.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
+catalina.org.apache.juli.AsyncFileHandler.prefix = tomcat
+catalina.org.apache.juli.AsyncFileHandler.rotatable = false
+catalina.org.apache.juli.AsyncFileHandler.suffix = .log
+</code>
+Then in file ''C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\server.xml'' remove creation of access logs. Coment out org.apache.catalina.valves.AccessLogValve.'' ''
+<code>
+    <!--   <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+               prefix="localhost_access_log" suffix=".txt"
+               pattern="%h %l %u %t "%r" %s %b" /> -->
+</code>
 ====== Apache httpd as a reverse proxy ======
@@ Line 127: / Line 221: @@
 ===== HTTPd installation and configuration =====
-First, install necessary [[https://go.microsoft.com/fwlink/?LinkId=746572|VCredist library]].
+First, install necessary [[https://aka.ms/vs/16/release/vc_redist.x64.exe|VCredist library]].
 Download Apache HTTPd from the [[https://www.apachelounge.com/download/VC15/binaries/|apachelounge distribution]] and unpack it into ''C:\apache24'' folder.
@@ Line 133: / Line 228: @@
 Fire up an elevated shell and install the Apache HTTPd service:
 <code>
 cd C:\apache24\bin
 httpd.exe -k install
 </code>
-Open the **services.msc** and reconfigure "Apache2.4" service to have ''StartupType=Automatic (Delayed start)''.
+Open the **services.msc** and reconfigure "Apache2.4" service:
-Configure the HTTPd in its core config file ''C:\Apache24\conf\httpd.conf''. You can use the following file, just replace values for ''ServerAdmin'' and ''ServerName''.
+   * To have ''StartupType=Automatic (Delayed start)''.
-<file apache httpd.conf>
+  * To execute under ''Local Service''  user. (On the "Log On" card, set user to ''Local Service'', delete contents of password fields and click Apply.)
-ServerRoot "c:/Apache24"
-Listen 80
+Configure the HTTPd in its core config file ''C:\Apache24\conf\httpd.conf''.
+<file apache httpd.conf>
+#uncomment these modules
 LoadModule access_compat_module modules/mod_access_compat.so
-LoadModule actions_module modules/mod_actions.so
-LoadModule alias_module modules/mod_alias.so
-LoadModule allowmethods_module modules/mod_allowmethods.so
-LoadModule asis_module modules/mod_asis.so
-LoadModule auth_basic_module modules/mod_auth_basic.so
-LoadModule authn_core_module modules/mod_authn_core.so
-LoadModule authn_file_module modules/mod_authn_file.so
-LoadModule authz_core_module modules/mod_authz_core.so
-LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
-LoadModule authz_host_module modules/mod_authz_host.so
-LoadModule authz_user_module modules/mod_authz_user.so
-LoadModule autoindex_module modules/mod_autoindex.so
-LoadModule cgi_module modules/mod_cgi.so
 LoadModule deflate_module modules/mod_deflate.so
-LoadModule dir_module modules/mod_dir.so
-LoadModule env_module modules/mod_env.so
 LoadModule filter_module modules/mod_filter.so
+LoadModule http2_module modules/mod_http2.so
 LoadModule headers_module modules/mod_headers.so
-LoadModule include_module modules/mod_include.so
-LoadModule isapi_module modules/mod_isapi.so
-LoadModule log_config_module modules/mod_log_config.so
-#LoadModule log_debug_module modules/mod_log_debug.so
-LoadModule mime_module modules/mod_mime.so
-#LoadModule mime_magic_module modules/mod_mime_magic.so
-LoadModule negotiation_module modules/mod_negotiation.so
 LoadModule proxy_module modules/mod_proxy.so
 LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
-#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
-#LoadModule proxy_connect_module modules/mod_proxy_connect.so
-#LoadModule proxy_express_module modules/mod_proxy_express.so
-#LoadModule proxy_html_module modules/mod_proxy_html.so
 LoadModule proxy_http_module modules/mod_proxy_http.so
 LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
-#LoadModule reqtimeout_module modules/mod_reqtimeout.so
 LoadModule rewrite_module modules/mod_rewrite.so
-LoadModule setenvif_module modules/mod_setenvif.so
 LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
 LoadModule ssl_module modules/mod_ssl.so
 LoadModule unique_id_module modules/mod_unique_id.so
-#LoadModule vhost_alias_module modules/mod_vhost_alias.so
-LoadModule security2_module modules/mod_security2.so
-<IfModule unixd_module>
+#add modsecurity module:
-# jsme na oknech, tohle se nepouzije
+    LoadModule security2_module modules/mod_security2.so
-    User daemon
-    Group daemon
-</IfModule>
-# 'Main' server configuration
+#change ServerName and Server Admin
-#
 ServerAdmin root@demo.czechidm.com
 ServerName demo.czechidm.com
-<Directory />
+#uncomment include vhosts a ssl configuration
-    AllowOverride none
-    Require all denied
-</Directory>
-DocumentRoot "c:/Apache24/htdocs"
-<Directory "c:/Apache24/htdocs">
-    Options -Indexes -FollowSymLinks -MultiViews
-    AllowOverride None
-    Require all granted
-</Directory>
-<IfModule dir_module>
-    DirectoryIndex index.html
-</IfModule>
-<Files ".ht*">
-    Require all denied
-</Files>
-ErrorLog "logs/error.log"
-LogLevel warn
-<IfModule log_config_module>
-    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
-    LogFormat "%h %l %u %t \"%r\" %>s %b" common
-    <IfModule logio_module>
-      # You need to enable mod_logio.c to use %I and %O
-      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
-    </IfModule>
-    CustomLog "logs/access.log" common
-    #CustomLog "logs/access.log" combined
-</IfModule>
-<IfModule alias_module>
-    ScriptAlias /cgi-bin/ "c:/Apache24/cgi-bin/"
-</IfModule>
-<IfModule cgid_module>
-    #Scriptsock cgisock
-</IfModule>
-<Directory "c:/Apache24/cgi-bin">
-    AllowOverride None
-    Options None
-    Require all granted
-</Directory>
-<IfModule headers_module>
-    RequestHeader unset Proxy early
-</IfModule>
-<IfModule mime_module>
-    TypesConfig conf/mime.types
-    AddType application/x-compress .Z
-    AddType application/x-gzip .gz .tgz
-</IfModule>
-# Virtual hosts
 Include conf/extra/httpd-vhosts.conf
-# Configure mod_proxy_html to understand HTML4/XHTML1
-<IfModule proxy_html_module>
-    Include conf/extra/proxy-html.conf
-</IfModule>
-# Secure (SSL/TLS) connections
 Include conf/extra/httpd-ssl.conf
-# Note: The following must must be present to support
+# Include modsec configuration if module is loaded
-#       starting without SSL on platforms with no /dev/random equivalent
-#       but a statically compiled-in mod_ssl.
-<IfModule ssl_module>
-    SSLRandomSeed startup builtin
-    SSLRandomSeed connect builtin
-</IfModule>
-# Include modsec
-# if you do not want to use it, comment-out the section below
 <IfModule mod_security2.c>
     Include conf/extra/modsec.conf
 </IfModule>
 </file>
-Configure the HTTP->HTTPS redirect in the ''C:\Apache24\conf\extra\httpd-vhosts.conf''. Replace ''demo.czechidm.com'' with the name of your server:
+Configure the HTTP→HTTPS redirect in the ''C:\Apache24\conf\extra\httpd-vhosts.conf''. Replace ''demo.czechidm.com''  with the name of your server. Comment other template vhost which you don't need:
 <file apache httpd-vhosts.conf>
 # Virtual Hosts
@@ Line 300: / Line 294: @@
 #    Redirect / https://demo.czechidm.com
 </VirtualHost>
 </file>
-Configure the HTTPS virtual host in the ''C:\Apache24\conf\extra\httpd-ssl.conf'' file. Change ''demo.czechidm.com'' to the name of your server.
+Configure the HTTPS virtual host in the ''C:\Apache24\conf\extra\httpd-ssl.conf''  file. Change ''demo.czechidm.com''  to the name of your server. <note>In some cases older clients (i.e. IE10 and older, Java6, etc.) will not be able to communicate with IdM due to the SSL settings. If this is your case, you may need to slacken the cipher settings a bit.</note>
 <file apache httpd-ssl.conf>
 Listen 443
-SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
+SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:!LOW:!RC4:!3DES+SHA:!IDEA
 SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
 SSLHonorCipherOrder on
-SSLProtocol all -SSLv2 -SSLv3
+SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 SSLProxyProtocol all -SSLv2 -SSLv3
 SSLPassPhraseDialog  builtin
@@ Line 341: / Line 337: @@
 # workaround for bad font handling in IE 11
 <LocationMatch "/idm/.*(\.ttf|\.woff2|\.eot)$">
         Header set Cache-Control "no-cache, public, must-revalidate, proxy-revalidate"
 </LocationMatch>
+Protocols       https/1.1
 ProxyRequests     off
 ProxyPreserveHost on
 ProxyAddHeaders on
-ProxyPass / ajp://127.0.0.1:8009/
+ProxyPass / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
-ProxyPassReverse / ajp://127.0.0.1:8009/
+ProxyPassReverse / ajp://127.0.0.1:8009/ secret=**tomcat_ajp_secret**
 RewriteEngine On
@@ Line 357: / Line 354: @@
         SecRuleRemoveById 960015
         SecRuleRemoveById 950109
         # Allow Czech signs
         SecRuleRemoveById 981318
@@ Line 363: / Line 360: @@
         SecRuleRemoveById 960024
         SecRuleRemoveById 981245
         # Too restrictive for login format
         SecRuleRemoveById 960035
         # Needed by Websockets
         <Location "/idm/api/v1/websocket-info/">
                 SecRuleRemoveById 970901
         </Location>
         # These break Certificate Authority module
-        <Location "/idm/api/v1/crt/certificates/action/validate">
+        <Location "/idm/api/v1/crt/certificates">
                 SecRuleRemoveById 960915
                 SecRuleRemoveById 200003
         </Location>
+    # Modsec can throw false positives on some files due to multipart boundary check
+    <Location "/idm/api/v1/attachments/upload">
+        SecRuleRemoveById 960915
+        SecRuleRemoveById 200003
+    </Location>
         # do not log request/response body
-        SecAuditLogParts ABFHZ
+        SecAuditLogParts AFHZ
 </IfModule>
@@ Line 407: / Line 410: @@
         AddOutputFilterByType DEFLATE application/json
         AddOutputFilterByType DEFLATE application/hal+json
         # Remove browser bugs (only needed for really old browsers)
         BrowserMatch ^Mozilla/4 gzip-only-text/html
@@ Line 416: / Line 419: @@
 </VirtualHost>
 </file>
-Supply SSL certificate and key in x509 PEM form to ''c:/Apache24/conf/server.key'' and ''c:/Apache24/conf/server.crt'' files. Apache HTTPd will not start without those files. If you need to generate some ad-hoc certificates, use for example [[https://www.akadia.com/services/ssh_test_certificate.html|this guide]]. You can easily invoke the **openssl** tool from the Git Bash prompt.
+Supply SSL certificate and key in x509 PEM form to ''c:/Apache24/conf/server.key''  and ''c:/Apache24/conf/server.crt''  files. Apache HTTPd will not start without those files. If you need to generate some ad-hoc certificates, use for example [[https://www.akadia.com/services/ssh_test_certificate.html|this guide]]. You can easily invoke the **openssl**  tool from the Git Bash prompt.
+Self-signed cert and key for testing purposes can be created like this:
+<code>
+openssl req -x509 -newkey rsa:4096 -keyout server.key -out server.crt -days 365 -nodes
+</code>
 ===== mod_security installation =====
-Download the mod\_security module from the [[https://www.apachelounge.com/download/VC15/modules/mod_security-2.9.2-win64-VC15.zip|Apache Lounge project]].
+Download the mod\_security module v 2.x from the [[https://www.apachelounge.com/download/VS16/modules/mod_security-2.9.3-win64-VS16.zip|Apache Lounge project]].
 Unpack the zip and perform following actions:
   * Copy the ''mod\_security2.so'' int ''C:\Apache24\modules'' directory.
-  * Copy ''libcurl.dll'' and ''yajl.dll'' into ''C:\Apache24\bin'' directory.
+  * Copy ''yajl.dll'' into ''C:\Apache24\bin'' directory.
 Create general mod\_security configuration file ''C:\Apache24\conf\extra\modsec.conf'':
@@ Line 485: / Line 498: @@
 Create empty directories ''C:\Apache24\modsec\_tmp'' and ''C:\Apache24\modsec\_lib'' for mod_security working data.
-Mod\_security will become operational but will have no filtering rules. To obtain filtering rules, please visit [[https://www.modsecurity.org/|Mod Security project homepage]]. **Remember to obtain 2.x version of rules, not the newest 3.x version!**
+Mod\_security will become operational but will have no filtering rules. To obtain filtering rules, please visit [[https://github.com/coreruleset/coreruleset/releases/tag/2.2.9|Mod Security project git]]. **Remember to obtain 2.x version of rules, not the newest 3.x version!**
-<note>For commercial deployment of CzechIdM, we have prepared a pack of mod\_security rules which you need to just unpack into ''C:\Apache24\conf'' directory, where it creates a ''modsecurity\_win.d'' folder full of rules. {{ :priv:modsecurity_win.d.zip | Mod Security rules package}} (login required).</note>
+Create directory ''C:\Apache24\conf\modsecurity\_win.d\activated\_rules''.
+From downloaded zip copy all rules from ''coreruleset-2.2.9.zip\coreruleset-2.2.9\base\_rules'' to ''C:\Apache24\conf\modsecurity\_win.d\activated\_rules''.
+Then downloaded zip copy rule configuration ''coreruleset-2.2.9.zip\coreruleset-2.2.9\modsecurity\_crs\_10\_setup.conf.example'' to ''C:\Apache24\conf\modsecurity\_win.d\modsecurity\_crs\_10\_config.conf''.
+<note>For commercial deployment of CzechIdM, we have prepared a pack of mod\_security rules which you need to just unpack into ''C:\Apache24\conf'' directory, where it creates a ''modsecurity\_win.d'' folder full of rules. {{ :priv:modsecurity_win.d.zip | Mod Security rules package}} (login required).
+</note>
+Now in file ''C:\Apache24\conf\modsecurity\_win.d\modsecurity\_crs\_10\_config.conf'' change rule ''900012'' to look like this:
+<code>
+SecAction \
+  "id:'900012', \
+  phase:1, \
+  t:none, \
+  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE', \
+  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json|application/hal+json|text/plain', \
+  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2.0', \
+  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \
+  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \
+  nolog, \
+  pass"
+</code>
 Now you can start the Apache HTTPd using its service. If it fails to start, check the Windows EventLog for errors.